This news has shaken this quiet week end of February, as Facebook officials told to Ars Technica they discovered in January several computers belonging to mobile application developers hacked using a zero-day Java attack. According to a consolidated attack schema, the malware installed a collection of previously unseen malware.

The attack occurred within the same timeframe as the hack that hit Twitter and exposed cryptographically hashed passwords of 250,000 users, and apparently targeted other companies completely unaware of the attack, until they were notified by Facebook.

According to the information available the attack showed several interesting (and nowadays common) patterns:

The attackers used a “watering hole” attack, compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors. The attack was injected into the site’s HTML, affecting any visitor who had Java enabled in his browser, regardless of the level of patching of the machine.

The exploit was used to download malware to victims’ computers affecting both Windows and Apple computers.

As usual, I would say, Antivirus software was unable to detect the malware, neither the malware was slowed down by the fact that the machines were patched.

Facebook said it is working with FBI to investigate the attack. Only the latest example of a class of targeted sophisticated threats increasingly common and aggressive against high-profile targets including tech industries, media, and now social networks. As a matter of fact (state sponsored ?) cyber criminals are actively exploiting 0-Day vulnerabilities targeting Java (and Adobe Flash), in this 2013 that, in only two months, is proving to be dramatic for the Infosec Landscape.